Why CISOs are Investing in Traceable AI

A Discussion with Lemonade CISO Jonathan Jaffe

Ashish Kuthiala

The Venture Capital marketplace is full of business savvy investors who are looking to invest in innovative technologies that are transforming the way we live and work. Traceable AI launched last summer with the support of $20 million in funding from VCs who recognize the growing security threat APIs pose to every company that uses and builds applications. We at Traceable AI are proud to announce a group of new investors who know firsthand what that threat is all about and how Traceable AI’s approach is key to protecting data, applications and businesses.

Traceable AI has announced a strategic partnership with Silicon Valley CISO Investments (SVCI), an angel syndicate of 55+ practicing CISOs who are putting their money as well as their time and strategic counsel into innovative cybersecurity startups. To find out more about SVCI and what attracted the group to Traceable AI, we conducted a Q&A with one of the SVCI investors, Jonathan Jaffe, CISO at Lemonade.

Can you explain how you became involved in SVCI?

I was part of Security4Startups, a working group focused on helping early-stage executives address security well before they could create a Head of Security role. Through my work there, I got to know Oren Yunger, as well as a group of fellow CISOs with strong collective insight. Together, we decided to form SVCI and harness our professional expertise to help compelling cybersecurity entrepreneurs succeed in a crowded market, and help them build products we’d like to use at our respective companies.

What types of companies do you look to support?

When identifying companies to personally support, I look for a combination of several factors. It’s incredibly important to me that I work with founders that have keen entrepreneurial abilities with a good record and team behind them, and are ready for an early investment opportunity. I also look closely at my own needs as a CISO - if a company is providing a product that solves one of my critical security problems, I’m sure there are other CISOs that could also benefit from the solution. If the implementation does not predominantly rely on those outside of the security organization, that is beneficial as well.

Additionally, I consider the current market for the product — if there is a significant market size that is not filled with industry players, I certainly see that as an opportunity. There needs to be a material competitive advantage to the company as well. In my experience, companies that demonstrate most of these traits, if not all of them, are really poised to do well.

Why SVCI’s investment model as opposed to traditional VC funding?

Traditional investment models depend almost entirely on the knowledge of people who aren't the actual buyers of the products, investing in solutions within industries they just don’t know much about. SVCI, on the other hand, relies on the knowledge of the people who buy security products. We know what we want, but others just guess.

How will SVCI impact the traditional funding model?

I strongly believe in the way SVCI is approaching funding, and I am confident that our model will be used to influence some new funds that will directly involve buyers of the product categories. This is in direct opposition to what today’s funds do, relying on investors who are not product buyers and calling experts to get their opinions.

However, I don't see many funds following our model. Our model is difficult to replicate. It requires getting a large number of experts together, regularly. There are only so many such experts available in a given investment category. Just a few such funds will consume the available number of experts. Therefore, it's a supply problem: the natural limit on funds like ours is low.

How can cybersecurity companies benefit from closer relationships with knowledgeable investors?

It is so beneficial to work with investors that truly know your industry. Cybersecurity companies will materially benefit by asking their potential buyers whether the proposed solution meets the buyer's needs - these are the people who deal with the product every day! If you can look at the needs of industry professionals and iterate the development of your solution so it exceeds those, there will be a significant advantage.

Why Traceable?

The Traceable approach fundamentally differs from others in that it understands the application's intent, as well as what correct and incorrect usage behavior is. No other product does this. Most act as cudgels, whereas Traceable is more like a scalpel.

Additionally, Traceable’s ability to discover, in real time, all endpoints as well as understand correct and incorrect usage of those endpoints and take decisive action is without real competition so far.

Following a year of uncertainty and massive changes, how have CISOs' priorities shifted?

CISOs are in the throes of dealing with an explosion of API endpoints within their own applications. CISOs struggle to keep up with this explosion. Developers can add between 5 and 50 endpoints in a single day. Each endpoint represents another exploitation point. Endpoint proliferation can't be contained lest you destroy a company's ability to continually develop and improve products. The only reasonable way to deal with endpoint proliferation is to automatically learn about new endpoints, and apply microservice-level controls to them.
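The answer above describes the defensive pattern in two steps: learn which endpoints actually exist from observed traffic, then attach a control to each one. The script below is an added illustration of that pattern and is not Traceable AI's code or a description of its product. It assumes a hypothetical access-log format (timestamp, method, path, status, and an `auth=` field saying whether the request carried credentials), a constructed set of sample log lines, and a hypothetical known-endpoint inventory. Identifier-like path segments are collapsed into templates so that `/users/1042` and `/users/77` count as one endpoint, and every endpoint that is absent from the inventory is surfaced as a "shadow" endpoint with a control chosen from how it was used.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical format, not real data):
# <timestamp> <method> <path> <status> auth=<bearer|none>
SAMPLE_LOGS = [
    "2021-03-01T10:00:01Z GET /api/v1/users/1042 200 auth=bearer",
    "2021-03-01T10:00:02Z GET /api/v1/users/77/orders?page=2 200 auth=bearer",
    "2021-03-01T10:00:03Z POST /api/v1/orders 201 auth=bearer",
    "2021-03-01T10:00:04Z GET /api/v1/export/5f3c2a9e-1b2d-4c3e-9f0a-0b1c2d3e4f5a 200 auth=none",
    "2021-03-01T10:00:05Z GET /api/v1/export/7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d 200 auth=none",
    "2021-03-01T10:00:06Z DELETE /api/v1/users/1042 403 auth=bearer",
    "2021-03-01T10:00:07Z GET /internal/debug/config 200 auth=none",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>\w+)$"
)

# Path segments that look like identifiers are replaced by templates so that
# requests to different records resolve to the same endpoint.
ID_TEMPLATES = [
    (re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I), "{uuid}"),
    (re.compile(r"^\d+$"), "{id}"),
]

# Hypothetical inventory: the endpoints the security team already knows about.
KNOWN_INVENTORY = {
    ("GET", "/api/v1/users/{id}"),
    ("GET", "/api/v1/users/{id}/orders"),
    ("POST", "/api/v1/orders"),
}


def normalize_path(path):
    """Drop the query string and collapse identifier-like segments to templates."""
    path = path.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        for pattern, template in ID_TEMPLATES:
            if pattern.match(seg):
                seg = template
                break
        segments.append(seg)
    return "/".join(segments)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def discover_endpoints(lines):
    """Learn (method, template) endpoints from traffic, counting total and unauthenticated hits."""
    discovered = defaultdict(lambda: {"count": 0, "unauthenticated": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than guess
        key = (rec["method"], normalize_path(rec["path"]))
        discovered[key]["count"] += 1
        if rec["auth"] == "none":
            discovered[key]["unauthenticated"] += 1
    return dict(discovered)


def find_shadow_endpoints(discovered, inventory):
    """Endpoints seen in traffic that nobody registered in the inventory."""
    return set(discovered) - set(inventory)


def assign_controls(discovered, inventory):
    """Pick a per-endpoint control: known endpoints are monitored; unknown ones
    that served unauthenticated requests get an authentication requirement,
    and the rest are queued for human review."""
    controls = {}
    for key, stats in discovered.items():
        if key in inventory:
            controls[key] = "monitor"
        elif stats["unauthenticated"] > 0:
            controls[key] = "require_auth"
        else:
            controls[key] = "review"
    return controls


if __name__ == "__main__":
    found = discover_endpoints(SAMPLE_LOGS)
    for key, control in sorted(assign_controls(found, KNOWN_INVENTORY).items()):
        print(f"{key[0]:7}{key[1]:35} {control}")
```

On the constructed sample, three endpoints are absent from the inventory: an export route served without credentials, an unregistered DELETE on the users resource, and an internal debug route. The control decision is deliberately a simple policy table; in a real deployment it would feed a gateway or service-mesh rule rather than just printing, and the normalization rules would need to cover whatever identifier formats the application actually uses.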

How will the role of the CISO change in the next five years?

It’s hard to know for sure. I anticipate that CISOs will have to increasingly rely on security automation due to the rapid increase in the number of services their companies offer. Perhaps toward this end, CISOs will have to add to their teams security-focused data science teams. But really, I just don't know. Five years is a long ways out.

What new cybersecurity trends, threats, and technology can we expect to emerge in 2021?

New trends in cybersecurity revolve around automating remediation. As for threats, I'm never bored by the new threats that come at us. This year, I expect to see a rapid increase in supply chain attacks through SaaS vendors, where attackers infiltrate services through integrations to Slack, Zoom, or Google Workspaces, for example, worming their way into those companies' customers' resources. APIs are the roads on which attackers will travel to make these supply chain attacks.

How will the role of APIs evolve in the next five years?

Five-year predictions are just far enough away to be forgotten when you should be proven wrong. That said, I imagine APIs will have some intelligence built into them by default. Perhaps standing up APIs will always include zero-trust authentication, for example. It's all just a guess, of course. But the hope is APIs will cease to serve as a path into the software supply chain for threat actors.

To learn more about Traceable you can watch a recorded demo of Traceable Defense AI in action.
